There is more bad news this week for the popular OpenSSL implementation of the SSL and TLS protocols, which was made vulnerable in April by the Heartbleed bug. This week we learned that OpenSSL has vulnerabilities that can be exploited by hackers for “Man-in-the-Middle” attacks.
According to an OpenSSL advisory:
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server”
The result is that a remote attacker can insert a process between browser and the server, a so called Man-in-the-Middle, and may be able to decrypt or modify traffic between a client and server.
This problem can be resolved with the application of the following updates:
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.